Configuring security applications - advanced options
9. Using GFI LANguard from the command line
9.1 Introduction
In this chapter you will discover how to use the three command line tools bundled with GFI LANguard: ‘lnsscmd.exe’, ‘deploycmd.exe’ and ‘impex.exe’. These command line tools allow you to launch network vulnerability scans and patch deployment sessions, and to import and export profiles and vulnerabilities, without loading the GFI LANguard management console.
Each tool is configured through a set of command line switches. The complete list of supported switches, together with a description of each switch's function, is provided below.
9.2 Using ‘lnsscmd.exe’ - the command line scanning tool
The ‘lnsscmd.exe’ command line target-scanning tool allows you to run vulnerability checks against network targets directly from the command line, or through third party applications, batch files and scripts. The ‘lnsscmd.exe’ command line tool supports the following switches:
lnsscmd [Target] [/profile=profileName] [/report=reportPath]
[/output=pathToXmlFile] [/user=username /password=password]
[/UseComputerProfiles] [/email=emailAddress]
/Profile (Optional) Specify the scanning profile that will be used during a security scan. If this parameter is not specified, the scanning profile that is currently active in GFI LANguard will be used.
NOTE: In the management console, the default (i.e. currently active) scanning profile is denoted by the word (Active) next to its name. To view which profile is active, expand the Configuration ► Scanning Profiles node.
/Output (Optional) Specify the full path (including filename) of the XML file where the scan results will be saved.
/Report (Optional) Specify the full path (including filename) of the HTML file where the scan results HTML report will be output/saved.
/User and /Password
(Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during security scanning. Alternatively you can use the /UseComputerProfiles switch to use the authentication credentials already configured in the Computer Profiles (Configuration ► Computer Profiles node).
/Email (Optional) Specify the email address to which the resulting report(s) will be sent at the end of this scan.
Reports will be emailed through the mail server currently configured in the Configuration ► Alerting Options node (of the management console).
/DontShowStatus (Optional) Include this switch if you want to perform silent scanning. In this way, the scan progress details will not be shown.
/? (Optional) Use this switch to show the command line tool usage instructions.
NOTE: Always enclose full paths and profile names within double quotes (i.e. "[path or profile name]"), for example "Default", "c:\temp\test.xml".
The command line target-scanning tool allows you to pass parameters through specific variables. These variables will be automatically replaced with their respective value during execution. Supported variables include:
Supported variable Description
%INSTALLDIR% During scanning, this variable will be replaced with the path to the GFI LANguard installation directory.
%TARGET% During scanning this variable will be replaced with the name of the target computer.
%SCANDATE% During scanning this variable will be replaced with the date of scan.
%SCANTIME% During scanning this variable will be replaced with the time of scan.
Example: How to launch target computer scanning from the command line tool.
For this example, we will be assuming that a scan with the following
lnsscmd.exe 130.16.130.1 /Profile="Default" /Output="c:\out.xml" /Report="c:\result.html" /email="[email protected]"
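A wrapper for running the same scan from a script or scheduled task, as an added example that is not part of the GFI manual. It uses only switches documented above and relies on /UseComputerProfiles rather than /user and /password, so no credential sits in the script or on the process command line. The executable path, results folder and IPv4-only target check are assumptions of the example, and credentials are assumed to be configured already under Configuration ► Computer Profiles.

```powershell
# Added example, not from the GFI manual. Paths and the target list are assumptions.
$LnssCmd     = 'C:\Path\To\lnsscmd.exe'   # placeholder: set to your install location
$ScanProfile = 'Default'                  # profile name used in the manual's example
$OutDir      = 'C:\ScanResults'           # assumed results folder; must already exist
$Targets     = @('130.16.130.1')          # target from the manual's example

foreach ($target in $Targets) {
    # Accept only literal IPv4 addresses, so a value read from a file or ticket
    # cannot add extra switches or path characters to the command line.
    $ip = $null
    if (-not ([System.Net.IPAddress]::TryParse($target, [ref]$ip)) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        Write-Warning "Skipping invalid target: $target"
        continue
    }

    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $xmlPath  = Join-Path $OutDir "$ip-$stamp.xml"
    $htmlPath = Join-Path $OutDir "$ip-$stamp.html"

    # Paths and profile names are double-quoted, as the NOTE above requires.
    # /UseComputerProfiles is used instead of /user and /password.
    $fmt     = '{0} /profile="{1}" /output="{2}" /report="{3}" /UseComputerProfiles /DontShowStatus'
    $argLine = $fmt -f $ip, $ScanProfile, $xmlPath, $htmlPath

    # A single argument string is passed through verbatim, keeping the quotes intact.
    $proc = Start-Process -FilePath $LnssCmd -ArgumentList $argLine -Wait -NoNewWindow -PassThru

    # Exit-code meanings are not documented on this page, so success is judged
    # by whether the XML results file exists and is well-formed.
    if (-not (Test-Path -LiteralPath $xmlPath)) {
        Write-Warning "$ip : no results file written (exit code $($proc.ExitCode))"
        continue
    }
    try {
        [void][xml](Get-Content -LiteralPath $xmlPath -Raw)
        Write-Output "$ip : results saved to $xmlPath"
    } catch {
        Write-Warning "$ip : results file is not valid XML: $xmlPath"
    }
}
```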
9.3 Using ‘deploycmd.exe’ - the command line patch deployment tool
The ‘deploycmd.exe’ command line patch deployment tool allows you to deploy Microsoft patches and third party software on remote targets directly from the command line, or through third party applications, batch files or scripts. The ‘deploycmd.exe’ command line tool supports the following switches:
deploycmd [target] [/file=FileName] [/username=UserName /password=Password] [/UseComputerProfiles] [/warnuser]
[/useraproval] [/stopservices] [/customshare=CustomShareName]
[/reboot] [/rebootuserdecides] [/shutdown] [/deletefiles]
[/timeout=Timeout(sec)] [/?]
Switches:
Switch Description
Target Specify the name(s), IP or range of IPs of the target computer(s) on which the patch(es) will be deployed.
/File Specify the file that you wish to deploy on the specified target(s).
/User and /Password
(Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during patch deployment. Alternatively you can use the /UseComputerProfiles switch to use the authentication credentials already configured in the Computer Profiles (Configuration ► Computer Profiles node).
/warnuser (Optional) Include this switch if you want to inform the target computer user that a file/patch installation is in progress. Users will be informed through a message dialog that will be shown on screen immediately before the deployment session is started.
/useraproval (Optional) Include this switch to request the user’s approval before starting the file/patch installation process. This allows users to postpone the file/patch installation process for later (for example, until an already running process is completed on the target computer).
/stopservice (Optional) Include this switch if you want to stop specific services on the target computer before installing the file/patch.
NOTE: You cannot specify the services that will be stopped directly from the command line tool. Services can only be added or removed through the management console.
/customshare (Optional) Specify the target share where you wish to transfer the file before it is installed.
/reboot (Optional Parameter) Include this switch if you want to reboot the target computer after file/patch deployment.
/rebootuserdecides (Optional Parameter) Include this switch to allow the current target computer user to decide when to reboot the computer (after patch installation).
/shutdown (Optional Parameter) Include this switch if you want to shut down the target computer after the file/patch is installed.
/deletefiles (Optional Parameter) Include this switch if you want to delete the source file after it has been successfully installed.
/timeout (Optional Parameter) Specify the deployment operation timeout. This value defines the time that a deployment process will be allowed to run before the file/patch installation is interrupted.
/? (Optional) Use this switch to show the command line tool’s usage instructions.
Example: How to launch a patch deployment process from the command line tool.
For this example, we will be assuming that a patch deployment session with the following parameters is required: